CVE-2024-9648: CWE-434 Unrestricted Upload of File with Dangerous Type in WP Ulike WP ULike Pro
The WP ULike Pro plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the WP_Ulike_Pro_File_Uploader class in all versions up to, and including, 1.9.3. This makes it possible for unauthenticated attackers to upload limited arbitrary files like .php2, .php6, .php7, .phps, .pht, .phtm, .pgif, .shtml, .phar, .inc, .hphp, .ctp, .module, .html, .svg on the affected site's server which may make make other attacks like Cross-Site Scripting possible. Only versions up to 1.8.7 were confirmed vulnerable, however, the earliest tested version for a patch we have access to is 1.9.4, so we are considering 1.9.4 the patched version.
AI Analysis
Technical Summary
CVE-2024-9648 is a CWE-434 vulnerability in the WP_Ulike_Pro_File_Uploader class of the WP ULike Pro WordPress plugin. It allows unauthenticated attackers to upload files with dangerous extensions due to insufficient validation of file types in all versions up to and including 1.9.3. This can lead to limited arbitrary file uploads that may be leveraged for attacks such as Cross-Site Scripting. The earliest confirmed patched version is 1.9.4.
Potential Impact
Successful exploitation allows unauthenticated attackers to upload files with potentially dangerous extensions to the affected WordPress site. This can lead to limited arbitrary file upload scenarios, increasing the risk of Cross-Site Scripting and other attacks that rely on malicious file execution or content injection. The vulnerability does not directly allow full remote code execution but can be a stepping stone for further compromise.
Mitigation Recommendations
Upgrade WP ULike Pro to version 1.9.4 or later, where this vulnerability is patched. No other official mitigations are documented. Patch status is confirmed by the vendor's versioning information. Users should verify they are not running versions up to 1.9.3 to avoid exposure.
CVE-2024-9648: CWE-434 Unrestricted Upload of File with Dangerous Type in WP Ulike WP ULike Pro
Description
The WP ULike Pro plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the WP_Ulike_Pro_File_Uploader class in all versions up to, and including, 1.9.3. This makes it possible for unauthenticated attackers to upload limited arbitrary files like .php2, .php6, .php7, .phps, .pht, .phtm, .pgif, .shtml, .phar, .inc, .hphp, .ctp, .module, .html, .svg on the affected site's server which may make make other attacks like Cross-Site Scripting possible. Only versions up to 1.8.7 were confirmed vulnerable, however, the earliest tested version for a patch we have access to is 1.9.4, so we are considering 1.9.4 the patched version.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2024-9648 is a CWE-434 vulnerability in the WP_Ulike_Pro_File_Uploader class of the WP ULike Pro WordPress plugin. It allows unauthenticated attackers to upload files with dangerous extensions due to insufficient validation of file types in all versions up to and including 1.9.3. This can lead to limited arbitrary file uploads that may be leveraged for attacks such as Cross-Site Scripting. The earliest confirmed patched version is 1.9.4.
Potential Impact
Successful exploitation allows unauthenticated attackers to upload files with potentially dangerous extensions to the affected WordPress site. This can lead to limited arbitrary file upload scenarios, increasing the risk of Cross-Site Scripting and other attacks that rely on malicious file execution or content injection. The vulnerability does not directly allow full remote code execution but can be a stepping stone for further compromise.
Mitigation Recommendations
Upgrade WP ULike Pro to version 1.9.4 or later, where this vulnerability is patched. No other official mitigations are documented. Patch status is confirmed by the vendor's versioning information. Users should verify they are not running versions up to 1.9.3 to avoid exposure.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-10-08T18:46:58.735Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6b56b7ef31ef0b553087
Added to database: 2/25/2026, 9:36:22 PM
Last enriched: 4/9/2026, 3:34:52 PM
Last updated: 4/11/2026, 5:48:26 PM
Views: 31
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.